Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    2024-04-06, 21:41

General

  • Target

    2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe

  • Size

    192KB

  • MD5

    81e1743ca873a4fd9ec172c5a57c236d

  • SHA1

    124af3bf4796489d6cd7df309631e1d88b4d9607

  • SHA256

    90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811

  • SHA512

    abc65e510002bd437512fa9edf7b8329280803c05941174f87dcd6a57be15c33fc4f7ba8b171473b54130c417f828fc31748e3114d76cc729c998cbc778dfb46

  • SSDEEP

    1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
      C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
        C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
          C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4420
          • C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
            C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4376
            • C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
              C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4176
              • C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
                C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1352
                • C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
                  C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1456
                  • C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
                    C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4592
                    • C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
                      C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4904
                      • C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
                        C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2988
                        • C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
                          C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3508
                          • C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe
                            C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:644
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B39~1.EXE > nul
                            13⤵
                              PID:3504
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5A6~1.EXE > nul
                            12⤵
                              PID:2620
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{32F24~1.EXE > nul
                            11⤵
                              PID:684
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{794FA~1.EXE > nul
                            10⤵
                              PID:4896
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D840C~1.EXE > nul
                            9⤵
                              PID:32
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{26800~1.EXE > nul
                            8⤵
                              PID:1680
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BBA~1.EXE > nul
                            7⤵
                              PID:4012
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8B90D~1.EXE > nul
                            6⤵
                              PID:3424
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{ED33C~1.EXE > nul
                            5⤵
                              PID:1424
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B8~1.EXE > nul
                            4⤵
                              PID:3112
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B92C2~1.EXE > nul
                            3⤵
                              PID:3076
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:388
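
The tree above repeats one pattern at every generation: the running executable spawns the next GUID-named copy in C:\Windows and a cmd.exe that deletes the running executable's own image, addressed by its 8.3 short name ({B92C2~1.EXE for {B92C2479-...}.exe, 2024-0~1.EXE for the original sample), so a detection has to resolve short names before comparing paths. The cmd.exe image is reported under SysWOW64 although system32 was requested, because the 32-bit dropper is subject to WOW64 file-system redirection. The Python below is an added example and not part of the tria.ge report; it turns the tree into detection logic over constructed Sysmon-style process-creation records (pid, parent pid, image, command line) for the first three generations. The parent pids of the cmd.exe children are taken from the depth markers; the explorer.exe root (pid 1000) and the benign cleanup command are assumptions added for contrast.

```python
"""Reconstruct the drop-and-self-delete chain from process-creation events.

Added example, not code from the tria.ge report.  The ProcEvent records are
constructed from the report's process tree in a Sysmon Event ID 1-like shape
(pid, parent pid, image, command line) so the logic runs offline; the parent
pids of the cmd.exe children follow from the depth markers, and the
explorer.exe root (pid 1000) and the benign cleanup entry are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the OS reports it
    cmdline: str   # command line as written by the parent


# A 32-bit dropper asking for system32\cmd.exe gets SysWOW64\cmd.exe through
# WOW64 file-system redirection, so image and command line disagree here.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"
GEN2 = r"C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe"
GEN3 = r"C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe"

EVENTS = [  # constructed sample: first three generations plus their cleanup children
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1940, 1000, ORIG, f'"{ORIG}"'),
    ProcEvent(2000, 1940, GEN2, GEN2),
    ProcEvent(4364, 2000, GEN3, GEN3),
    ProcEvent(388, 1940, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(3076, 2000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B92C2~1.EXE > nul"),
    ProcEvent(3112, 4364, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B8~1.EXE > nul"),
    # benign cleanup with the same shape; its target is not the parent's own image
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log"),
]

DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/\w+\s+)*"?([^"\s>]+)', re.I)
GUID_DROP = re.compile(r"^C:\\Windows\\\{[0-9A-F-]{36}\}\.exe$", re.I)
SHORT_INVALID = re.compile(r"[\s+,;=\[\]]")   # characters NTFS drops when it derives an 8.3 name


def short_form_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3-style path such as C:\\Windows\\{B92C2~1.EXE plausibly names
    long_path.  Simplified model of NTFS short-name generation: the first six
    valid characters of the stem, upper-cased, then ~N, then a 3-character
    extension.  The ~N counter depends on collisions, so it is not compared."""
    if ntpath.dirname(short_path).lower() != ntpath.dirname(long_path).lower():
        return False
    s_stem, s_ext = ntpath.splitext(ntpath.basename(short_path))
    l_stem, l_ext = ntpath.splitext(ntpath.basename(long_path))
    if s_stem.lower() == l_stem.lower() and s_ext.lower() == l_ext.lower():
        return True                                  # long name used directly
    m = re.fullmatch(r"(.{1,6})~\d+", s_stem)
    if not m:
        return False
    cleaned = SHORT_INVALID.sub("", l_stem).replace(".", "")
    return cleaned[:6].upper() == m.group(1).upper() and l_ext[:4].upper() == s_ext.upper()


def find_self_deletions(events):
    """cmd.exe children whose del/erase target is their own parent's image
    (indicator removal by file deletion).  Returns (cmd pid, parent pid, image)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":   # basename: covers the WOW64 path too
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_form_matches(m.group(1), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def dropper_chain(events, root_pid):
    """Follow the chain of GUID-named C:\\Windows executables each generation
    spawns; returns the image paths in execution order, starting at root_pid."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    if root_pid not in by_pid:
        return []
    chain, pid = [], root_pid
    while True:
        chain.append(by_pid[pid].image)
        nxt = [c for c in children.get(pid, []) if GUID_DROP.match(c.image)]
        if not nxt:
            return chain
        pid = nxt[0].pid


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in find_self_deletions(EVENTS):
        print(f"pid {cmd_pid}: cmd.exe deletes its parent's image (pid {parent_pid}) {image}")
    print(" -> ".join(ntpath.basename(p) for p in dropper_chain(EVENTS, 1940)))
```

Two practical notes. Hash-based blocking is weak against this sample: every generation in the Downloads list is 192KB but carries a different MD5/SHA1/SHA256, so the C:\Windows\{GUID}.exe path plus the delete-own-parent pattern is the durable indicator, not the file hashes. The "Modifies Installed Components in the registry" signature most likely refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, the Active Setup logon-time persistence location; on a live host, the follow-up check is whether any StubPath value under that key points at a C:\Windows\{GUID}.exe.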

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe

                            Filesize

                            192KB

                            MD5

                            f6a62f6c23abc1fc11b0c8ee2d475888

                            SHA1

                            9065ab3c4ed47caec92dab3138fb9aad4febddfc

                            SHA256

                            78a3ff1171f4154707bfb22dc34a3035fcbec5dc2eaf3af19e288a8a8ae11b2b

                            SHA512

                            5aa1115bdab8dda5968efdacdd0bc08eef8c984193f5b6e1d126cbba6cabf895dd701142665b3302da19bd33dc003038d4187ec602fdbb84739b21da28d40c9a

                          • C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe

                            Filesize

                            192KB

                            MD5

                            b75db6f9365c24882c57d5ff83fe0dbf

                            SHA1

                            e64517d9d1b35735230361ddf0f822742b6706c3

                            SHA256

                            aaab70da9dd1c6c9ca98ddb7ee591ca94dd6367c1738e9c197a7bbb671e92e4c

                            SHA512

                            8b9713673bfb645d3059c1c1dff16a6ff9547315369e0edb80926d3c4255c36c6eb2096f974d23761cb7adf6466a6cfad5cd94769c12105616ac179af92a5a29

                          • C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe

                            Filesize

                            192KB

                            MD5

                            29fa0d25b2dd0b024c450fcd54db314f

                            SHA1

                            a01fbfb2248c8a57b43b3e5d713a2445eca2ef61

                            SHA256

                            17bb93fa291d0d528522b84addf81a02cb3d546ec13821de9dc8969a2c460810

                            SHA512

                            4bac242ee76a0105dd1e77e175a4c0f71eed7f548dcd9f1dda61f2e47dab28b65d339b5257f4070ccd6cc29ff14d9ec087b33378a88deca833c180d1c67b24c2

                          • C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe

                            Filesize

                            192KB

                            MD5

                            8ee5ed7f1030a4ccd9795db5e340fed7

                            SHA1

                            a96f84c7fbf7779562b5a3a227b6965eecc9ae0f

                            SHA256

                            0fbbf62a1871b9ff097b92f7916c2e54b98a89ee02ee969c2ce84e9396f9322d

                            SHA512

                            64acfaf9e57bc8a7339883bff2df0f29a56a174d74113a7896713538aae54b2e203b662929eb16d8b9f405a5e751534b528bca6aa4ea73d59e489033373917be

                          • C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe

                            Filesize

                            192KB

                            MD5

                            ee2f9d5b0a62a18843ce33ee95bcba4d

                            SHA1

                            bd6d3d6884c0a3d1bad8a6de6b77c4daaa0d8b13

                            SHA256

                            ac88b640c9478c7dafd34928773e01601926c8db1308df4367aa45631baddb64

                            SHA512

                            2229ebd603b96b5a71ba64c418eed52714e384b59e01ac36bbac9232d98049191e1789eb5c526abc4d4536392200e43d14ba7833edcdc9fe3a2618b7cbdc228d

                          • C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe

                            Filesize

                            192KB

                            MD5

                            9dec9cbef597c559fb48e55982d16108

                            SHA1

                            acba07de7127565cd44a0d9113d793a503ffaf9e

                            SHA256

                            7848b148da89da4b6aadff7092d5ec32b71bf503612daeedfdf73067783ff44e

                            SHA512

                            cc7eebc4188ad8ea076f8950650eb530b444b1ac11627d1b2cf4ff4c6bc7d3ff9d40ae1113a785d76007c7f36e4a35a93bfc7a8011c763d65c5c8be351bacc22

                          • C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe

                            Filesize

                            192KB

                            MD5

                            6962adeb8a2852c28b56bea84dc051b4

                            SHA1

                            5907305582039e400dd5d214a13f4a9bba30eb82

                            SHA256

                            480de0a304e17a1b8c0de5334d98abffd05466c1b16532b2b1ceed37369871cd

                            SHA512

                            c1f3b8cb3aac9f7f83eb7a47e4a91a79b7c4aef65a3ac8c4e3e5695b4e1fe3f54c24d8b572359537d2b6c7fe4a352c69d1e981089d7b1d5c4e6ec06ffea0bb6a

                          • C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe

                            Filesize

                            192KB

                            MD5

                            9671dae3d90688980dde21da52be1951

                            SHA1

                            d98e5f5bb90e0e57f6cf557ba6d2448759491b08

                            SHA256

                            bff45c304fbf073b11471f423f3088354d7a58904d93c51de531258d4a01c46b

                            SHA512

                            64f74269b5e907658c892411914039d44c280e94a5abda87353648811c6bf77e77241901c9fd96bad53049050866f00f20463a9cad4675812fafc9bfe2ceaddf

                          • C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe

                            Filesize

                            192KB

                            MD5

                            b504145634f79796411c82829d3921a7

                            SHA1

                            22fde7d1e723e8df472ea8c9d2a5e9263a0d0ba1

                            SHA256

                            9928f7e2740af14a3d8e59d7a84906602cff695ec24c3039d5444d0901aa1718

                            SHA512

                            043bcdab1c18f0ea3e0a8ef27765b192fda380828343a427bf6555f22172c0299f02259e5b4675740c94297595fb3b48822b2155d30e8d8e6917077066a53e56

                          • C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe

                            Filesize

                            192KB

                            MD5

                            96278c90470dc1f051d664f363d4ce1b

                            SHA1

                            a83a2bb684550a62bb7b499db2b20eda606a36d4

                            SHA256

                            47f63746c867b7385831a4c34ae29fb4a8eb97b5fc4eb3d29dfe86ba5565c34e

                            SHA512

                            bb7b2f64e50da6756d12f97c8cc8f0c9613d42bd3d2719d47dd14d1e52a709dc972301a2c22c8b4430b26174f0c1b886292c65221d69f9fb7eea61d970921e0d

                          • C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe

                            Filesize

                            192KB

                            MD5

                            fdfdc2075a8de66e869dafab01c012b5

                            SHA1

                            9aa543a7e925e9725b8f2b280ac5c06aad775724

                            SHA256

                            6c62934fcdcdcad6dfe8c91335ccbb51d9421e93f2918164f982a95552c19470

                            SHA512

                            68c9fc0be067dfe19d7e1b89ee4ef4f426f776e252f4b281cd01ea748044605770bfcf081361720617be7cfb970c521a1f25628b8c60c1b10f8dfb2231efddf2

                          • C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe

                            Filesize

                            192KB

                            MD5

                            65b5b533d1f2566f31037a8da7b498a3

                            SHA1

                            a185f384ba6de5c70fd76322f71aef42a74e81be

                            SHA256

                            89d58a4b2e734b314236d54c8eefb5cf0e70a324ac891cf9737b0a52abe99509

                            SHA512

                            244a6af78fa1cff489447e513fec448e626e58c1132c44f01ee3d518bb57ac7db2d4ba26d7e4bae18a36662aec88decd0ecbbb70bae56fa8e14b6ddedf45bb33